Signing git commits using GPG keys

Previously we talked about gpg keys, this week we are going to be talking about an application of gpg keys ie signing git commits using them

But why do I need to sign my commits

Git is cryptographically secure. But as with most things on the internet, you can't trust what you see. But you don't have to extremely skeptical either, the least you can do is ensure that whatever stuff you put on there is trusted and verified.

What exactly Is GPG?

GPG stands for GnuPG which is a free implementation of the OpenPGP standard for encryption. It is a command-line tool which helps you manage your keys and helps you create new ones when needed.

As Edward Snowden has rightly said,

Arguing that you don't care about the right to privacy because you have nothing to >hide is no different from saying you don't care about free speech because you have >nothing to say.

Not to bore you out of your seats, let us get to it and get our hands dirty.

Configuring GPG

First of all, you need gpg configured and your key installed. For that, open your terminal and execute this -

gpg --list-keys

This tells you if you have already had any keys. If you don't, go ahead and generate one by typing in -

gpg --gen-key

This will ask you a series of questions. Go ahead and answer them, and finally you are going to get a gpg key.

For more information on getting a gpg key, refer to our last blogpost about Introduction to GPG Keys.

Now that you finally have a key, you can use it to start signing things such as your commits and tags. For people who don't know what tags are, they are used to signify important milestones in a repositories history.

Ok now back to signing commits. So now you finally have a gpg key, let us configure it to sign your commits.

Now when you do a gpg --list-keys you are going to see something similar to this -

$ gpg --list-keys

/Users/schacon/.gnupg/pubring.gpg
---------------------------------
pub 2048R/0A46826A 2014-06-04
uid Scott Chacon (Git signing key) <schacon@gmail.com>
sub 2048R/874529A9 2014-06-04

The characters in the pub line before the slash are the ones useful to us. So, copy them down somewhere.

Now let us tell git to sign using this key -

$ git config --global user.signingkey 0A46826A

Git is now going to use our key to sign all our commits. Go ahead and sign your first commit by using this -

$ git commit -a -S -m 'Signed commit'

You need a passphrase to unlock the secret key for
user: "Scott Chacon (Git signing key) <schacon@gmail.com>"
2048-bit RSA key, ID 0A46826A, created 2014-06-04

[master 5c3386c] Signed commit
4 files changed, 4 insertions(+), 24 deletions(-)
rewrite Rakefile (100%)
create mode 100644 lib/git.rb

You can also see what commits you have in your history which have been signed or unsigned by using this -

$ git log --show-signature -1

You are going to see something similar to this -

commit 9368a922432e8caa6ee84eb800994322bef55095 (HEAD -> master, origin/master)
gpg: Signature made Monday 15 June 2020 09:28:28 AM IST
gpg: using RSA key B27561095B6B3DC15182CD75453432554F506A4B
gpg: Good signature from "Manav Sethi <manav.sethi@outlook.in>" [ultimate]
Author: insaanimanav <manav.sethi@outlook.in>
Date: Mon Jun 15 09:28:28 2020 +0530

Initial Commit

This means that the commit was properly signed and it can be verified.

But the next problem is what if you want git to automatically sign your commits each time without you explicitly telling it with the ** -S ** option. There is a way to prevent this. To make git automatically sign your commits you can use this

$ git config commit.gpgsign true

This is all about signing your commits locally. But there is another benefit to signing commits, which is that you can put your gpg key upon your git server and let it verify that the commit came directly from you. This can help in preventing Man In The Middle - MITM attacks.

For this guide, I am going to be using Github. But you can use whatever git server you are using.

• First of all, go ahead and login to your GitHub account.
• Head to the menu in the top right and select settings from it.
• In settings, go to the section of ssh keys and gpg keys and then go to the gpg keys. Click on add.
• This will prompt you to enter your key. Export your key and paste it here.

Voila! Now you have your gpg key imported in Github and can start working with it.

All the commits that you push to Github are now going to say verified in front of them, which means that they came directly from you.